Re: Support for NSS as a libpq TLS backend
Joshua Brindle <joshua.brindle@crunchydata.com>
From: Joshua Brindle <joshua.brindle@crunchydata.com>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Kevin Burke <kevin@burke.dev>, Jacob Champion <pchampion@vmware.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>,
"hlinnaka@iki.fi" <hlinnaka@iki.fi>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>,
"sfrost@snowman.net" <sfrost@snowman.net>, "rachelmheaton@gmail.com" <rachelmheaton@gmail.com>,
"thomas.munro@gmail.com" <thomas.munro@gmail.com>, "michael@paquier.xyz" <michael@paquier.xyz>,
"andres@anarazel.de" <andres@anarazel.de>
Date: 2021-11-25T13:39:29Z
Lists: pgsql-hackers
Attachments
- Dockerfile (application/octet-stream)
On Wed, Nov 24, 2021 at 8:49 AM Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > > On Wed, Nov 24, 2021 at 8:46 AM Joshua Brindle > <joshua.brindle@crunchydata.com> wrote: > > > > On Wed, Nov 24, 2021 at 6:59 AM Daniel Gustafsson <daniel@yesql.se> wrote: > > > > > > > On 23 Nov 2021, at 23:39, Joshua Brindle <joshua.brindle@crunchydata.com> wrote: > > > > > > > It no longer happens with v49, since it was a null deref of the pr_fd > > > > which no longer happens. > > > > > > > > I'll continue testing now, so far it's looking better. > > > > > > Great, thanks for confirming. I'm still keen on knowing how you triggered the > > > segfault so I can ensure there are no further bugs around there. > > > > > > > It happened when I ran psql with hostssl on the server but before I'd > > initialized my client certificate store. > > I don't know enough about NSS to know if this is problematic or not > but if I try verify-full without having the root CA in the certificate > store I get: > > $ /usr/pgsql-15/bin/psql "host=localhost sslmode=verify-full user=postgres" > psql: error: SSL error: Issuer certificate is invalid. > unable to shut down NSS context: NSS could not shutdown. Objects are > still in use. Something is strange with ssl downgrading and a bad ssldatabase [postgres@11cdfa30f763 ~]$ /usr/pgsql-15/bin/psql "ssldatabase=oops sslcert=client_cert host=localhost" Password for user postgres: <freezes here> On the server side: 2021-11-25 01:52:01.984 UTC [269] LOG: unable to handshake: Encountered end of file (PR_END_OF_FILE_ERROR) Other than that and I still haven't tested --with-llvm I've gotten everything working, including with an openssl client. Attached is a dockerfile that gets to the point where a client can connect with clientcert=verify-full. I've removed some of the old cruft and debugging from the previous versions. Thank you.
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited